Ticket #3304 (new)

Opened 1 year ago

Last modified 2 weeks ago

[patch] Support "httponly"-attribute in session cookie.

Reported by: arvin Assigned to: nobody
Milestone: post-1.0 Component: Core framework
Version: SVN Keywords:
Cc: sam@robots.org.uk Triage Stage: Someday/Maybe
Has patch: 1 Needs documentation: 1
Needs tests: 1 Patch needs improvement: 1

Description

The cookie used for the session id should get the "httponly"-attribute to mitigate XSS. See http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp.

Attachments

python.diff (1.1 kB) - added by arvin on 01/16/07 18:20:27.
Patch for python
django.diff (2.3 kB) - added by arvin on 01/16/07 18:21:05.
Patch for django
httponly.patch (3.8 kB) - added by cephelo@gmail.com on 03/24/07 21:56:24.
patch for supporting HttpOnly in cookies/session
httponly_docs.patch (2.6 kB) - added by cephelo@gmail.com on 03/24/07 21:56:51.
HttpOnly cookie docs

Change History

01/14/07 20:42:08 changed by Simon Willison

I've always wondered if there's a downside to doing this - it seems like a great idea, but you rarely see sites actually doing it. It should definitely be possible to do this from Django, but I'd like confirmation that it doesn't break things for some browsers / proxies / what have you before recommending it be turned on by default. As far as I can tell it breaks the cookie spec (if such a thing exists).

01/16/07 18:19:24 changed by arvin

You are right that only a few sites use it, e.g. time.com. Maybe because most tools don't support it yet. PHP has had it only since 5.2.0, and Python doesn't have it so far.

The cookie spec is here:
http://wp.netscape.com/newsref/std/cookie_spec.html
http://www.faqs.org/rfcs/rfc2109.html

Firefox will likely have support in the far future:
https://bugzilla.mozilla.org/show_bug.cgi?id=178993

I'll attach two patches, one for python and one for django. With those it works for me with the development server. Since I'm new to django I might miss something.

01/16/07 18:20:27 changed by arvin

  • attachment python.diff added.

Patch for python

01/16/07 18:21:05 changed by arvin

  • attachment django.diff added.

Patch for django

01/16/07 18:30:21 changed by arvin

  • summary changed from Support "httponly"-attribute in session cookie. to [patch] Support "httponly"-attribute in session cookie..

Of course enabling SESSION_COOKIE_HTTPONLY without the python patch breaks the system. If the patches look good to you I will send the python patch to the project.

01/17/07 16:12:17 changed by

  • milestone deleted.

Milestone Version 1.0 deleted

(follow-up: ↓ 7 ) 01/18/07 00:47:39 changed by mir@noris.de

  • needs_better_patch set to 1.
  • stage changed from Unreviewed to Design decision needed.
  • needs_tests set to 1.
  • needs_docs set to 1.

Hmm, we probably can't use a patch that requires a patched python. Any different solution?

Also, could you point me to where the RFC is talking about 'httponly'? I couldn't find it at all. According to the specs from the Microsoft site, it makes the cookie unavailable to script languages.

01/18/07 03:54:39 changed by ubernostrum

It's worth noting that IE is the only browser likely to support this in the foreseeable future; the bug for it at Mozilla is still marked as NEW nearly four years after opening, and no-one seems to know what other vendors will do.

(in reply to: ↑ 5 ) 01/18/07 06:46:40 changed by arvin

Replying to mir@noris.de:

Hmm, we probably can't use a patch that requires a patched python. Any different solution?

Surely Python itself has to be extended. In Django we can check sys.hexversion and write that the feature only works with e.g. python 2.6 or higher.

Also, could you point me to where the RFC is talking about 'httponly'? I couldn't find it at all. According to the specs from the Microsoft site, it makes the cookie unavailable to script languages.

The RFC doesn't talk about 'httponly'. Microsoft introduced it later on.

The attribute makes the cookie unavailable to scripts in the browser, e.g. Javascript injected through XSS.

03/24/07 21:56:24 changed by cephelo@gmail.com

  • attachment httponly.patch added.

patch for supporting HttpOnly in cookies/session

03/24/07 21:56:51 changed by cephelo@gmail.com

  • attachment httponly_docs.patch added.

HttpOnly cookie docs

03/24/07 21:57:54 changed by cephelo@gmail.com

I've attached two new patches. The first is a patch to the Django sources that wraps the Python Cookie.py objects with very minimal wrappers. They merely intercept the HttpOnly flag and work with it; the rest is handled as before with Cookie/Morsel and SimpleCookie. It provides a SESSION_HTTP_ONLY setting True/False/None. It also provides the hook in HttpResponse.set_cookie(..., httponly=True). The second setting updates the docs/.

Firefox 3.0 will have it, it's working in 3.0a3, as I just tested my patch with. Also works fine in IE7.

Mozilla Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=178993
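The two things this thread keeps coming back to, arvin's point that the attribute only hides the cookie from browser script (and that Django should check whether the running Python can emit it at all), and cephelo's set_cookie(..., httponly=True) hook, can be shown with the standard library alone. The following is an added example written for this page, not code from any of the attached patches or from Django: it builds a session Set-Cookie line with the HttpOnly flag via http.cookies (which gained the attribute in later Python releases, so no patched interpreter is needed), gates on a feature check instead of sys.hexversion, and audits a response's headers for a session cookie that lacks the flag. The cookie name "sessionid", the sample session values and the header list are constructed for the example; Morsel._reserved is a private attribute of the module and is used here only as a capability probe.

```python
from http.cookies import Morsel, SimpleCookie

# Constructed sample response headers (not captured from any real server).
# The session cookie here lacks HttpOnly, which is what the ticket wants
# Django to emit by default.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "csrftoken=xyz789; Path=/"),
]


def python_supports_httponly():
    """Whether this interpreter's cookie Morsels know the HttpOnly attribute.

    This is the sys.hexversion-style gate arvin proposed, expressed as a
    feature check: Morsel._reserved (private, assumed stable enough for a
    probe) lists the attribute names the module will emit.
    """
    return "httponly" in Morsel._reserved


def build_session_cookie(name, value, httponly=True, path="/"):
    """Return the Set-Cookie header line for a session cookie.

    Mirrors the set_cookie(..., httponly=True) hook from the ticket using
    only the standard library. 'httponly' is a flag attribute, so it is
    emitted as a bare 'HttpOnly' token only when truthy.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = path
    cookie[name]["httponly"] = httponly
    return cookie.output()


def has_httponly(set_cookie_value):
    """True if a Set-Cookie header value carries the HttpOnly attribute.

    Attribute names are compared case-insensitively. The first segment is
    the name=value pair and is skipped, so a cookie that happens to be
    named 'httponly' is not mistaken for a flagged one.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    return any(p.lower() == "httponly" for p in parts[1:])


def audit_set_cookie_headers(headers, session_cookie_name="sessionid"):
    """Return the names of session cookies in a response that lack HttpOnly.

    `headers` is a list of (name, value) pairs as a WSGI app or a test
    client would expose them; the default cookie name is an assumption.
    """
    missing = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie_name = header_value.split("=", 1)[0].strip()
        if cookie_name == session_cookie_name and not has_httponly(header_value):
            missing.append(cookie_name)
    return missing


if __name__ == "__main__":
    print("HttpOnly supported by this Python:", python_supports_httponly())
    print(build_session_cookie("sessionid", "abc123"))
    print("session cookies missing HttpOnly:",
          audit_set_cookie_headers(SAMPLE_RESPONSE_HEADERS))
```

The audit function is the part worth keeping around: run it over the headers a test client returns from a login view and it fails the moment a deployment setting, a proxy, or a later refactor drops the flag from the session cookie, which is exactly the "does it break anything" question Simon raised, answered per response rather than by trust.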

09/06/07 09:05:23 changed by anonymous

11/08/07 09:18:39 changed by anonymous

  • cc set to sam@robots.org.uk.

12/01/07 08:13:11 changed by jacob

  • stage changed from Design decision needed to Someday/Maybe.

Hacking around the Python Cookie objects just gives off that "code smell" to me, and I'm reluctant to check in smelly code to support a non-standard addition to HTTP.

Still, added security is always a good thing, so I'm pretty conflicted about this one. For now I'm going to mark this "Someday/Maybe" and move on, but a better patch would help move this back towards reality.

06/22/08 09:34:13 changed by mrts

  • milestone set to post-1.0.

This looks not to be in scope for 1.0.
